mxcoppell/mcp-server-oauth
If you are the rightful owner of mcp-server-oauth and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.
The MCP OAuth Server is a comprehensive implementation of the Model Context Protocol (MCP) with OAuth 2.1 authorization, supporting both stdio and HTTP transports.
get-user-info
Get information about the current authenticated user (HTTP transport only).
place-order
Place a trading order (requires authentication for HTTP transport).
fetch_market_data
Retrieve financial market data for a given symbol.
calculate_portfolio_metrics
Calculate portfolio performance metrics.
MCP Server with OAuth & Capabilities
A comprehensive Model Context Protocol (MCP) server implementation demonstrating OAuth 2.1 authorization, dual transport support (stdio/HTTP), and all core MCP capabilities following the 2025-06-18 specification.
๐ Features
- Dual Transport Support: stdio and Streamable HTTP with Server-Sent Events
- OAuth 2.1 Authorization: Bearer token authentication for HTTP transport
- Complete MCP Implementation: Tools, Resources (streaming & non-streaming), and Prompts
- Security-First Design: Proper token validation, audience checking, and error handling
- Trading API Integration: Financial market data examples
- TypeScript: Fully typed with strict type checking
- MCP Inspector Compatible: Ready-to-use configurations included
๐ Requirements
- Node.js 18+
- TypeScript 5.2+
- MCP Inspector (optional, for testing)
๐ ๏ธ Installation
# Clone the repository
git clone <your-repo-url>
cd mcp-server-oauth
# Install dependencies
npm install
# Build the project
npm run build
โ๏ธ Configuration
Setup Environment
-
Copy the environment template:
cp .env.sample .env -
Update
.envwith your Auth0 configuration values (see template for guidance)
Environment Variables
| Variable | Description | Default | Required |
|---|---|---|---|
MCP_TRANSPORT | Transport type (stdio or http) | stdio | No |
MCP_HTTP_PORT | HTTP server port | 6060 | No |
ENABLE_AUTH | Enable OAuth authentication | true | No |
CORS_ORIGIN | CORS origin | * | No |
OAUTH_ISSUER | Auth0 tenant URL | https://your-tenant.auth0.com | For HTTP auth |
OAUTH_AUDIENCE | API audience/identifier | https://your-api-identifier | For HTTP auth |
OAUTH_CLIENT_ID | Auth0 application client ID | your-auth0-client-id | For HTTP auth |
OAUTH_RESOURCE_NAME | Resource name in OAuth metadata | Your API Name | No |
OAUTH_API_SCOPES | Supported API scopes (comma-separated) | scope1,scope2,scope3 | No |
๐ Usage
Stdio Transport (No Authentication)
# Direct execution
npm run start:stdio
# Development mode
npm run dev:stdio
# Via MCP Inspector
npm run inspector:stdio
HTTP Transport (With OAuth)
# Direct execution
npm run start:http
# Development mode
npm run dev:http
# Via MCP Inspector (connect to running server)
npx @modelcontextprotocol/inspector
# Then connect to: http://localhost:6060/mcp
๐ OAuth Authentication
๐ For detailed authentication architecture and flows, see
Quick Start
For HTTP transport, include Bearer token in Authorization header:
Authorization: Bearer <your-jwt-token>
Invalid/missing tokens return:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer resource_metadata="http://localhost:6060/.well-known/oauth-protected-resource"
Well-Known Discovery Endpoint
The server exposes OAuth metadata at:
GET /.well-known/oauth-protected-resource
Response (example with configured values):
{
"resource": "https://your-api.example.com/",
"resource_name": "Your API Name",
"authorization_servers": [
"https://your-tenant.auth0.com/"
],
"scopes_supported": [
"openid",
"profile",
"api:read",
"api:write",
"admin"
],
"bearer_methods_supported": ["header"]
}
Note: The actual values are configured via environment variables. See
.env.samplefor configuration details.
๐ ๏ธ Capabilities
Tools
get-user-info
Get information about the current authenticated user (HTTP transport only).
Parameters:
includeDetails(optional): Whether to include detailed user information (default: false)
Example:
{
"name": "get-user-info",
"arguments": {
"includeDetails": true
}
}
place-order
Place a trading order (requires authentication for HTTP transport).
Parameters:
symbol(required): Stock symbol to tradeside(required): Order side ("buy" or "sell")quantity(required): Number of shares
Example:
{
"name": "place-order",
"arguments": {
"symbol": "AAPL",
"side": "buy",
"quantity": 100
}
}
fetch_market_data
Retrieve financial market data for a given symbol.
Parameters:
symbol(required): Stock symbol (e.g., "AAPL", "TSLA")timeframe(optional): Data timeframe ("1m", "5m", "15m", "1h", "1d")
Example:
{
"name": "fetch_market_data",
"arguments": {
"symbol": "AAPL",
"timeframe": "1d"
}
}
calculate_portfolio_metrics
Calculate portfolio performance metrics.
Parameters:
account_id(required): Account IDmetric_type(optional): Metric type ("return", "volatility", "sharpe_ratio", "all")
Example:
{
"name": "calculate_portfolio_metrics",
"arguments": {
"account_id": "ACC001",
"metric_type": "all"
}
}
Resources
Authentication Token Information: auth://token/info
Display current authentication token information and decoded claims.
URI: auth://token/info
Non-Streamable: account://info/ACC001
Get account information and portfolio summary (fixed account ID).
URI: account://info/ACC001
Streamable: stream://market/AAPL
Real-time market data stream for AAPL using Server-Sent Events.
URI: stream://market/AAPL
Prompts
trading_analysis
Generate comprehensive trading analysis and market insights.
Arguments: None (provides general market analysis based on authentication status)
portfolio_optimization
Optimize portfolio allocation and risk management.
Arguments: None (provides general optimization guidance based on authentication status)
risk_assessment
Comprehensive risk analysis and mitigation strategies.
Arguments: None (provides general risk assessment based on authentication status)
๐งช Testing with MCP Inspector
Stdio Mode
[Use the stdio configuration from memory][[memory:2513256715134277487]]
npx @modelcontextprotocol/inspector --config config/mcp-stdio-config.json
HTTP Mode
# Start the server first
npm run start:http
# Then connect inspector to running server
npx @modelcontextprotocol/inspector
# Connect to: http://localhost:6060/mcp
๐ง Development
Scripts
npm run build # Build TypeScript
npm run dev # Development mode with watch
npm run test # Run tests
npm run lint # Lint code
npm run lint:fix # Fix linting issues
File Structure
mcp-server-oauth/
โโโ .env.sample # Environment template
โโโ .env # Your environment config (git ignored)
โโโ src/
โ โโโ server.ts # Main MCP server
โ โโโ index.ts # Entry point
โ โโโ config.ts # Configuration
โ โโโ transports/
โ โ โโโ stdio.ts # Stdio transport
โ โ โโโ http.ts # HTTP transport
โ โ โโโ factory.ts # Transport factory
โ โโโ auth/
โ โ โโโ oauth.ts # OAuth handler
โ โ โโโ well-known.ts # Discovery endpoint
โ โ โโโ validator.ts # Token validation
โ โโโ capabilities/
โ โ โโโ tools.ts # Tool implementations
โ โ โโโ resources.ts # Resource handlers
โ โ โโโ prompts.ts # Prompt definitions
โ โโโ types/
โ โโโ index.ts # Type definitions
โโโ config/
โ โโโ mcp-stdio-config.json # Stdio config
โโโ README.md
๐ก๏ธ Security
- JWT signature verification
- Audience and issuer validation
- Expiration time checking
- CORS policy enforcement
- Input validation with Zod
- Error message sanitization
- Rate limiting ready
๐ MCP Specification Compliance
This implementation follows the MCP specification version 2025-06-18:
- JSON-RPC 2.0 messaging
- Proper capability registration
- Error handling standards
- Transport-agnostic design
- OAuth 2.1 security patterns
๐ค Contributing
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Run linting and tests
- Submit a pull request
๐ License
MIT License - see LICENSE file for details.